Malware-based attacks against utilities and power plants are increasing six-fold according to a recent federal report. Power plants have become an appealing target because of a lack of detection and monitoring capabilities within their networks.
While North American Electric Reliability Corp. Critical Infrastructure Protection (NERC-CIP) standards address basic security issues for control centers, power generation, and substation environments at utility companies, extending similar protection to other industrial facilities at these companies is challenging for those that don’t utilize cloud technology.
Some North American power plants have separate security teams for industrial and corporate environments, but chief information security officers (CISOs) should be responsible for cybersecurity across all environments in their organizations. The control systems that operate these environments were designed decades ago, before cybersecurity was a design consideration.
While the CISO’s office has responsibility for cybersecurity, it has minimal authority or control over the operational technology (OT) teams that operate these industrial environments. The top priority for these OT teams is to ensure constant availability of their environments (Figure 1), but the majority of power plants do not have adequate staff to operate and maintain complex security infrastructures. Organizations such as EnergySec and the National Rural Electric Cooperative Association are working to provide assistance through a common set of controls, threat intelligence, and remote assistance—but that’s not enough to combat the dangers of recent attacks.
Recent Malware-Based Attacks
Attacks on companies that operate critical infrastructure, such as power plants, can be devastating. Malware attacks in the past five years have demonstrated a need for security controls across all environments, as well as the need to provide more sophisticated security. Some examples include:
■ BlackEnergy made a comeback in December 2015, when it was used to attack the electrical power grid in Ukraine, gaining control of corporate networks and disconnecting substations from the grid.
■ Industroyer is designed to attack electrical grids by disrupting industrial control system (ICS) environments. It is particularly dangerous because it can directly control the switches and circuit breakers in electrical substations. When it was used to attack Ukraine’s power grid in December 2016, parts of the capital, Kiev, had no electrical power for an hour as a result.
■ Triton demonstrated the unintended exploitation of a safety system, impacting Triconex safety controllers at an oil and gas plant in the Middle East between August and December 2017.
These attacks mark a turning point in power plant security, as they demonstrate that hackers can cause physical damage by sabotaging safety systems. They were also a wake-up call for utilities to consistently monitor their entire industrial asset base, including the areas regulated by NERC-CIP as well as those that are not. Adversaries can persist undetected for months in utility networks while building the knowledge of the industrial process needed to turn it against itself. Ensuring consistent security monitoring across all industrial environments, even those not subject to compliance controls, is the most effective way to secure the organization as a whole.
Necessary Security Controls
The use of cloud security differs among investor-owned utilities, publicly owned utilities, and cooperatives, but the challenges are similar across the board. The top 100 large independently owned utilities have built out security operations centers to manage most of these areas of their business effectively and are expanding these capabilities to their OT assets. Other utilities, however, struggle to find the manpower needed to manage either environment effectively. Furthermore, the current NERC-CIP compliance controls take an uncertain stance on how this information may be designated and managed in the cloud, making it difficult to triage events effectively and to gain visibility and forensics in key areas of operations.
A cloud security platform can provide utility companies with the security controls needed to protect against malware attacks while minimizing additional staffing requirements. Threat intelligence curated by the cloud security vendor and continuously updated through the platform reduces the strain on utility security personnel. Additionally, cloud delivery can provide a single point of visibility into threat activity across all network segments.
Power plants and other industrial utility companies are realizing that connecting previously air-gapped industrial environments to the internet brings automation efficiencies and productivity improvements, and they are also becoming keenly aware of the vulnerability of the ICSs that control these environments. As hackers advance their methods, power plants and other utilities face challenges in implementing a set of security controls that is effective against sophisticated malware attacks. CISOs can add cloud-based security offerings to augment the protections of the NERC-CIP standards and give analysts a complete view of security events. As the standards evolve, they should provide clarity on the use of cloud-based security in these environments.
—David Hatchell is vice president of industrial security at ProtectWise.